American insurance holding company Kemper Corporation has been confirmed as the latest victim in the ongoing ShinyHunters Salesforce extortion campaign, with approximately 269,300 unique email addresses added to Have I Been Pwned on May 28, 2026. The threat actors claim to hold 29GB of exfiltrated data and over 13 million records lifted from Kemper's Salesforce tenant, including PII and partial payment card information.
What Happened
ShinyHunters publicly named Kemper Corporation on its dark web leak site in April 2026 as part of a "pay or leak" extortion operation. After Kemper declined to meet the ransom demand, the group followed through by publishing massive datasets siphoned from the insurer's Salesforce environment. Kemper has officially confirmed the cybersecurity incident, engaged third-party incident response firms, and notified law enforcement. The breach is part of a broader ShinyHunters campaign that has hit hundreds of organizations using the same Salesforce-focused access vector.
What Was Taken
The exposed dataset includes 269,300 unique email addresses now indexed by HIBP, and the broader leak reportedly contains over 13 million Kemper records pulled from Salesforce alongside internal directory data and Stripe payment logs. Compromised data categories include:
- Email addresses
- Full names
- Phone numbers
- Physical addresses
- Purchase histories
- Partial credit card data: last four digits, expiry dates, and card brands
While the payment card data is partial, the combination of identity, contact, and transactional context creates a high-value dataset for targeted fraud and follow-on social engineering against Kemper's insurance customer base.
Why It Matters
Kemper joins a rapidly expanding list of ShinyHunters Salesforce victims that already includes Cisco, Snowflake, Okta, Sony, AMD, LastPass, and the roughly 1,000 organizations swept up in the Gainsight third-party compromise late last year. The pattern is now unmistakable: SaaS CRM tenants holding customer master data are the highest-yield target in the current threat landscape, and the Scattered LAPSUS$ Hunters Extortion-as-a-Service alliance has industrialized the playbook. For regulated industries like insurance, the exposure of customer PII tied to policy and payment data carries significant regulatory, litigation, and brand consequences well beyond the immediate breach disclosure.
The Attack Technique
According to ShinyHunters, the intrusion was achieved by bypassing access controls on Kemper's Salesforce environment through social engineering, consistent with the voice phishing (vishing) and OAuth abuse techniques the group has used against other Salesforce customers throughout 2025 and 2026. Operators typically impersonate IT support to coax employees into approving malicious connected apps or surrendering session tokens, granting the attackers Salesforce API access that is then used to bulk-export object data. The same operator cluster has previously leveraged supply chain pivots, including the Trivy compromise used against Cisco and the Gainsight integration abuse that fanned out to nearly a thousand downstream tenants.
What Organizations Should Do
- Audit all Salesforce connected apps and OAuth tokens; revoke any unrecognized integrations and enforce admin approval for new connected apps.
- Restrict Salesforce API access by IP allowlist, enforce phishing-resistant MFA (FIDO2) for all privileged users, and disable legacy authentication paths.
- Train help desks and frontline employees against vishing scenarios specifically targeting MFA resets and OAuth consent prompts; require out-of-band verification for any access-related request.
- Deploy Salesforce Shield or equivalent monitoring to alert on anomalous bulk data exports, Data Loader usage, and off-hours API queries.
- Inventory third-party SaaS integrations (Gainsight, Drift, Salesloft-style tools) and review their scopes against least privilege; revoke unused tokens immediately.
- For Kemper customers and affected individuals, monitor for targeted phishing and insurance-themed fraud referencing real policy details, and place fraud alerts on credit files given the partial card data exposure.
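
The monitoring item above (anomalous bulk exports, Data Loader usage, off-hours API queries) can be expressed as three simple rules over an API event log. The following Python is an added example, not code from the article or from Salesforce; the column names, thresholds, client names and sample events are constructed assumptions to be mapped onto your own log export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Salesforce output). Column names are
# assumptions; map them to the fields your own event log export provides.
SAMPLE_LOG = """timestamp,user,client_name,rows
2026-04-02T10:15:00,alice,WebUI,40
2026-04-02T10:20:00,alice,WebUI,25
2026-04-03T02:05:00,bob,Data Loader,180000
2026-04-03T02:11:00,bob,Data Loader,150000
2026-04-03T14:00:00,carol,IntegrationApp,9000
"""

ROW_LIMIT = 100_000             # assumed per-user row ceiling per window
WINDOW = timedelta(hours=1)     # sliding window for summing exported rows
BUSINESS_HOURS = range(7, 20)   # assumed working hours, 07:00-19:59
BULK_CLIENTS = {"Data Loader"}  # client names treated as bulk-export tools


def detect(log_text):
    """Return a sorted list of (user, reason) alerts for the event log."""
    events = defaultdict(list)
    alerts = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        events[row["user"]].append((ts, int(row["rows"])))
        if row["client_name"] in BULK_CLIENTS:
            alerts.add((row["user"], "bulk_client"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.add((row["user"], "off_hours"))
    for user, items in events.items():
        items.sort()
        start, total = 0, 0
        for ts, rows in items:
            total += rows
            # Drop events that have aged out of the sliding window.
            while ts - items[start][0] > WINDOW:
                total -= items[start][1]
                start += 1
            if total > ROW_LIMIT:
                alerts.add((user, "bulk_volume"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

Tune `ROW_LIMIT` and `BUSINESS_HOURS` against a baseline of normal integration traffic before alerting on them, since scheduled sync jobs legitimately export large row counts overnight.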
Sources: Kemper Corporation Exposes 270K Emails Following ShinyHunters Breach Claim - TechNadu